# Handala: The Face of Iran's Cyber Retaliation Amidst Global Conflict

In late February, the United States and Israel launched a broad campaign of air strikes across Iran, prompting warnings from the cybersecurity industry that the country's retaliatory measures would include punishing, disruptive cyberattacks against Western targets. The first of those attacks arrived in the US on Tuesday night, with a devastating breach of the medical technology firm Stryker, which has reportedly disabled as many as tens of thousands of computers and paralyzed much of the company's global operations.

The Iranian hacker group behind the attack, known as Handala, has gained notoriety for its brazen and destructive cyber operations, which have targeted a range of organizations, including Israeli businesses and political officials. According to cybersecurity researchers, Handala is believed to be a front for Iran's Ministry of Intelligence, or MOIS, and has been linked to a wave of Iranian state cyber operators who pose as hacktivists while seeking to inflict noisy, often politically motivated chaos on adversaries.

"Handala has grown into 'probably the most dominant group,'" says Sergey Shykevich, who leads threat intelligence research at the Tel-Aviv-based cybersecurity firm Check Point. "They are the main face now." Handala has publicly claimed more than a dozen, mostly Israeli, victims since the start of the war two weeks ago, and has combined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state.

Despite its opportunistic tactics, the breach of Stryker may be Handala's most impactful operation yet, given the company's continued struggle on Thursday to return to normal operations. Check Point's Shykevich says that Handala likely hacked Stryker because it could, rather than having a specific plan. "I'm not sure they had a plan," he says. "Probably they found an opportunity, and now it's a big win for them."

Handala's strategic thinking, however, shouldn't be overestimated. According to Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos' X-Ops group, Handala's recent hacking campaign appears to be attempting to gain access to organizations quickly and do whatever damage it can in the midst of US and Israeli air strikes that have reportedly hit parts of Iran's cyber operations. "This doesn't have the hallmarks of a plan," Pilling says of Handala's recent hacking campaign. "It's likely the group is currently thrashing for targets of opportunity that they can hit in Israel or the US, to demonstrate that they are having some kind of retaliatory effect, but not from any kind of strategic perspective."

Security researchers first spotted the "Handala" brand being used toward the end of 2023, emerging after the October 7 attacks by Hamas on Israel and the country's subsequent bombardment of Gaza. When Handala first appeared, it seemed to have the public persona of a "pro-Palestinian hacktivist" group, but its hacking has been aligned with Iranian interests and linked back to the regime.

Handala's operations have been "consistent with Tehran's broader preference for proxy and cutout architectures that combine deniability with psychological impact," says Alexander Leslie, a threat intelligence analyst at security firm Recorded Future. In fact, Check Point has found that Handala is just one of several hacktivist fronts that it says—based on connections in the groups' malware and server infrastructure—all represent a single state-sponsored group of hackers that it calls Void Manticore.

As the conflict in Iran continues, Handala is seemingly attempting to find every possible leverage point to sow as much chaos as possible, often announcing a "stern warning" in its public messages or news that will "shake the cyber world." As one of Handala's posts put it, "control of the game is in our hands."

In conclusion, Handala's brazen cyber attacks on Stryker and other targets are a stark reminder of the escalating global conflict and its implications for cybersecurity. As the US and Israel continue to face off against Iran, Handala's hacking operations will likely remain a significant threat to Western targets.